Developments and challenges in authentication and authorisation

Klaas Wierenga, klaas.wierenga@surfnet.nl

Berlin, 23 May 2006


High-quality Internet for higher education and research

Agenda

• Federations
• Drivers for (identity) federations
• Key developments
• Challenges
• Summary


Federations

[Diagram labels: Identity Provider, User, Resource Provider, Resource, Trust, Organisation A, Organisation B]

Federations are about sharing resources across organisational borders


Drivers for (identity) federations

Organisational
• Users are becoming increasingly mobile
  – Bologna process, ECTS
  – E-learning for everyone
• Research is getting too “large” to do alone
  – Collaboration is common, projects cross organisational borders
  – Grids
• Self-service interfaces, changes in workflow inside university
  – Employees and students get tasks from administration
  – Cutting cost

Technical
• Higher need for security without stopping people from studying or doing research
• Two-sided communication gets replaced by multidimensional web services, SOA
• Centralising applications in order to individualise services
  – Personalisation gets more important

Political and societal
• Government AAI (and commercial IdPs)
  – Interconnections


Federations are happening

[Figure labels: HAKA, JISC federation, DK-AAI]

• Applications outsourcing their users
  – To the home institution of the user
  – To a single place at the home institution
• Academic identity federations are operational
  – Real services used every day by a large number of users
  – Research and educational applications are federated
• Federation software available in the marketplace
• Infocard
  – Making "identity" tangible to users
• Convergence is there
  – With SAML as lingua franca


Organisational Challenges

• Local identity management
• Provisioning
  – must be understood both on campus and in applications
• Managing roles and attributes
• Scalability problems (many sources of authority)


Technical Challenges (1)

• Horizontal integration
  – Government federations
  – Commercial federations (Liberty Alliance, WS-* based)
  – Across national boundaries
• Vertical integration
  – Web SSO, eduroam, grids
  – Lightpath provisioning (GLIF), measurement and monitoring (PerfSonar)
  – E-mail, IM, SIP, SSH


Technical Challenges (2)

• External IdPs
  – Different levels of authentication
  – Different levels of authorisation
• From authentication to authorisation
  – Do those enterprise directories really contain authoritative authorisation information?
• Security constraints
  – Policy and technology
• N-tier problems
  – Where are the attributes?


Political and Societal challenges

• Privacy
  – Locally
  – Within federations
  – Across Europe
  – World-wide
• Interconnection policies
  – building federations
  – bridging federations

• Integration of enterprise and federated identity with personal identity

• Agreement on consistent approaches to authentication


Summary

• Educational federations are happening

• Convergence to (small number of) standards
  – SAML
• International federations are emerging
  – eduroam
  – Grids
  – Géant2 AAI (eduGAIN)
• Federations are moving up into the stack
• But campus issues remain a concern


Thanks to

• Ken Klingenstein (Internet2)
• Diego Lopez (RedIRIS)
• Ingrid Melve (UNINETT)
• Bob RL Morgan (Internet2)
• Milan Sova (CESNET)
• Torbjorn Wiberg (Umea University)